Posted to users@tomcat.apache.org by Ravi Kumar <ra...@tibco.com.INVALID> on 2021/01/13 09:36:40 UTC

Can we get Digest Authentication with TOMCAT 7

Hi Tomcat Team,

I am using a Tomcat based webserver container for our web application. All
the deployment and other tasks are taken care of using TOMCAT 7.10.105.

Currently we are using the BASIC Authentication for the Manager and tomcat
web application.
Can we migrate and use DIGEST Authentication for the same?  What are the
suggested and recommended ways to implement and use DIGEST Authentication
with TOMCAT 7 web applications?

Your valuable assistance is much appreciated.

Regards,
Ravi

Re: Can we get Digest Authentication with TOMCAT 7

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark and Ravi,

On 1/13/21 04:59, Mark Thomas wrote:
> On 13/01/2021 09:36, Ravi Kumar wrote:
>> Hi Tomcat Team,
>>
>> I am using a Tomcat based webserver container for our web application. All
>> the deployment and other tasks are taken care of using TOMCAT 7.10.105.
> 
> Tomcat 7.0.x will reach end of life on 31 March 2021.
> 
>> Currently we are using the BASIC Authentication for the Manager and tomcat
>> web application.
>> Can we migrate and use DIGEST Authentication for the same ?
> 
> Yes.
> 
>> What are the
>> suggested and recommended ways to implement and use DIGEST Authentication
>> with TOMCAT 7 web applications?
> 
> Simply replace "<auth-method>BASIC</auth-method>" in the application's
> web.xml file with "<auth-method>DIGEST</auth-method>"
> 
>> Your valuable assistance is much appreciated.
> 
> If you are storing passwords in digest form note the following:
> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#Digested_Passwords
> 
> Generally, you are better off switching from BASIC+http to BASIC+https
> rather than DIGEST+http.

+1

> If you are already using BASIC+https then
> switching to DIGEST+https is unlikely to gain you anything.

Switching to HTTP DIGEST authentication is a net loss in security 
because the passwords must be stored insecurely.

Please note that there can be confusion between HTTP DIGEST 
authentication (which is an authentication scheme) and using "digested" 
(aka hashed) passwords in your password database. HTTP DIGEST precludes 
the use of (properly) digested passwords in your database, and digested 
(hashed) passwords in your password database is a Best Practice.

With HTTP DIGEST authentication, the server must have access to the 
value of MD5(username:realm:password). This can either be done by 
storing the password in plaintext (insecure!) or storing the value of 
MD5(username:realm:password) which is also insecure.

MD5(username:realm:password) is insecure because the MD5 hashing 
algorithm is considered weak and also both the username and realm name 
will be known to any potential attacker.

Note that this criticism is not against HTTP DIGEST authentication 
itself, as the communication of the credential material can be 
considered secure even though it is using insecure cryptographic 
primitives (specifically, MD5). This is a criticism about the *storage 
requirements* on the server-side.

If the user database were to be compromised, password recovery is not 
sufficiently mitigated because you cannot use proper hashing on the 
stored credentials. Industry best practices are currently to use 
"salted" and "iterated" hashes of stored credentials, neither of which 
can be used with HTTP DIGEST.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
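The following is an added worked example, not code from the thread or from Tomcat, that models the HTTP DIGEST exchange (RFC 2617, MD5, qop=auth) Chris describes: the server verifies a client response using only the stored MD5(username:realm:password) value, and that same stored value can be attacked offline with one MD5 per guess because the username and realm are public. The realm name, credentials, URI and wordlist are constructed for the demonstration; the `Mufasa` values used as a self-check are the RFC 2617 / Wikipedia test vector.

```python
"""Model of HTTP Digest authentication (RFC 2617, MD5, qop=auth) and an offline
dictionary attack on the HA1 value a DIGEST-capable server must store.
Added example; not Tomcat code. Realm, credentials and wordlist are constructed."""
import hashlib
import secrets

REALM = "Example Realm"  # constructed realm name


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """The value the server must be able to produce for DIGEST: an unsalted,
    single-round MD5 over inputs of which only the password is secret."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return md5_hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth."""
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """What the browser sends: it derives HA1 from the cleartext password."""
    return digest_response(ha1(username, realm, password), nonce, nc, cnonce, qop, ha2(method, uri))


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """What the server does: it needs HA1 itself, so the realm must store either
    the cleartext password or HA1. No salt or iteration count can be inserted
    without breaking interoperability with the client's computation."""
    expected = digest_response(stored_ha1, nonce, nc, cnonce, qop, ha2(method, uri))
    return secrets.compare_digest(expected, response)


def recover_password(stored_ha1, username, realm, candidates):
    """Offline dictionary attack on a leaked HA1. Username and realm are known
    to the attacker, so each guess costs exactly one MD5 computation."""
    for guess in candidates:
        if ha1(username, realm, guess) == stored_ha1:
            return guess
    return None


def demo():
    """Run one successful exchange, then recover the password from the store.
    Returns (verified, recovered_password)."""
    username, password = "tomcat", "s3cret"          # constructed credentials
    store = {username: ha1(username, REALM, password)}  # what the realm keeps
    nonce, cnonce, nc = secrets.token_hex(16), secrets.token_hex(8), "00000001"
    uri = "/manager/html"
    resp = client_response(username, REALM, password, "GET", uri, nonce, nc, cnonce)
    verified = server_verify(store[username], "GET", uri, nonce, nc, cnonce, resp)
    wordlist = ["password", "tomcat", "admin", "s3cret", "changeit"]  # constructed
    recovered = recover_password(store[username], username, REALM, wordlist)
    return verified, recovered


if __name__ == "__main__":
    print(demo())
```

The `recover_password` loop is the whole point of Chris's objection: with a salted, iterated hash (for example PBKDF2 or bcrypt) the same attack would need the per-user salt and thousands of iterations per guess, but the server could then no longer compute `server_verify`'s expected response, so DIGEST forces the weak store.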


Re: Can we get Digest Authentication with TOMCAT 7

Posted by Mark Thomas <ma...@apache.org>.
On 13/01/2021 09:36, Ravi Kumar wrote:
> Hi Tomcat Team,
> 
> I am using a Tomcat based webserver container for our web application. All
> the deployment and other tasks are taken care of using TOMCAT 7.10.105.

Tomcat 7.0.x will reach end of life on 31 March 2021.

> Currently we are using the BASIC Authentication for the Manager and tomcat
> web application.
> Can we migrate and use DIGEST Authentication for the same ?

Yes.

> What are the
> suggested and recommended ways to implement and use DIGEST Authentication
> with TOMCAT 7 web applications?

Simply replace "<auth-method>BASIC</auth-method>" in the application's
web.xml file with "<auth-method>DIGEST</auth-method>"

> Your valuable assistance is much appreciated.

If you are storing passwords in digest form note the following:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#Digested_Passwords

Generally, you are better off switching from BASIC+http to BASIC+https
rather than DIGEST+http. If you are already using BASIC+https then
switching to DIGEST+https is unlikely to gain you anything.

Mark
